
improve Origin handling; forbind non-https origins in production

This commit is contained in:
Stefan Bühler 2022-04-11 10:29:17 +02:00
parent 3059a81d56
commit 123e94111d


@ -101,16 +101,22 @@ def check_self_origin():
if origin is None: if origin is None:
# not a request by a modern browser - probably curl or something similar. don't care. # not a request by a modern browser - probably curl or something similar. don't care.
return return
origin = origin.lower().strip()
if origin == 'none':
quart.abort(403, 'Origin is none')
origin_parts = origin.split('/') origin_parts = origin.split('/')
# Origin should look like: protocol://hostname (possibly a /path suffix?) # Origin should look like: <scheme>://<hostname> (optionally followed by :<port>)
if len(origin_parts) < 3: if len(origin_parts) < 3:
quart.abort(400, 'Broken Origin header') quart.abort(400, 'Broken Origin header')
origin_host = origin_parts[2].lower() if origin_parts[0] != 'https' and not app.my_config.debug:
# -> require https in production
quart.abort(403, 'Non-https Origin not allowed')
origin_host = origin_parts[2]
host = quart.request.headers.get('Host', None) host = quart.request.headers.get('Host', None)
if host is None: if host is None:
quart.abort(400, 'Missing Host header') quart.abort(403, 'Missing Host header')
if host.lower() != origin_host: if host.lower() != origin_host:
quart.abort(400, 'Origin mismatch') quart.abort(403, 'Origin mismatch')
@app.route('/', methods=['GET']) @app.route('/', methods=['GET'])
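Review bot: The https requirement on the new line `if origin_parts[0] != 'https' and not app.my_config.debug:` can never be satisfied, because after `origin.split('/')` the first element keeps its trailing colon (`'https://h'.split('/')[0]` is `'https:'`), so with debug off every request that carries an Origin header is rejected with the 403 'Non-https Origin not allowed' — fail-closed, but it breaks all browser clients in production. The comparison should be `if origin_parts[0] != 'https:' and not app.my_config.debug:`, or the header should be parsed with `urllib.parse.urlsplit` and its `.scheme` and `.netloc` compared, which also handles the port suffix the updated comment mentions. The new `if origin == 'none':` branch is likewise dead: browsers send the literal string `null` for opaque origins, so `if origin == 'null':` is the intended test (today a `null` Origin falls through to the 400 'Broken Origin header' branch, which is still a rejection, just with the wrong status and message). The `def check_self_origin():` line and the `origin = ...` lookup it starts with are above the hunk.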